
Thread: Heads Up !

  1. #1
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867

    Heads Up !

    Not sure if this is just being 'over-hyped', but I have seen a lot of alerts along this line over the past few days.

    The Canadian Cyber Incident Response Centre (CCIRC) has received reports of a new e-mail-based technique for spreading Trojan horse programs. Because of the nature of this technique, standard defensive measures such as anti-virus software and firewalls are not completely effective. As a result, the risk of critical infrastructure networks being compromised by attacks employing this technique is significant.

    The "From" address of the e-mail is spoofed, making it appear to come from a colleague or reliable third party organization;

    The subject line and text of the e-mails appear relevant to the recipient’s work, or may be copied from a previous legitimate e-mail; and

    The attachment name and type appear relevant to the text and to the recipient’s work.

    Now I personally haven't run into anything related to this yet (has anyone seen this type of activity?) so I tend to believe this may be a bit of an overreaction, but I could be wrong.

    Full Alert Message

    Cheers:
    DjM

  2. #2
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,424
    I had two customers last weekend with this thing (which Avast categorized as Mytob): turns off AV (Norton in this case), and was caused by an email supposedly sent by Comcast (the customers' ISP). Both indeed seemed to have taken their subject line ("Comcast Administration: your account" or something) from other emails/data, and both of the messages were pretty convincing. Both had the trojan-infected attachment.

  3. #3
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Originally posted here by Negative
    I had two customers last weekend with this thing (which Avast categorized as Mytob): turns off AV (Norton in this case), and was caused by an email supposedly sent by Comcast (the customers' ISP). Both indeed seemed to have taken their subject line ("Comcast Administration: your account" or something) from other emails/data, and both of the messages were pretty convincing. Both had the trojan-infected attachment.
    I am not sure if this is related to the Mytob outbreak (what, there must be a couple of hundred versions of this one by now), but I may be wrong. I guess it's how some of these agencies interpret the information they are receiving.

    Cheers:
    DjM

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I believe you will find this to be a manifestation of this (top of the headlines).

    [EDIT]

    The bastiges changed the main page right after I posted.....

    [/EDIT]
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  5. #5
    Tiger Shark, you're right. I've been watching this and what is unique is that it masquerades as something sent from your ISP saying that because of security reasons your account's been locked, and titles such as this. Enter trojan.
    to SYN, or not to SYN. That is the question. -Shakespeare?

  6. #6
    AO's MMA Fanatic! Computernerd22's Avatar
    Join Date
    Mar 2003
    Location
    Miami, FL
    Posts
    795
    had two customers last weekend with this thing (which Avast categorized as Mytob): turns off AV (Norton in this case), and was caused by an email supposedly sent by Comcast (the customers' ISP). Both indeed seemed to have taken their subject line ("Comcast Administration: your account" or something) from other emails/data, and both of the messages were pretty convincing. Both had the trojan-infected attachment
    I had a few customers infected with something very similar to this, except this was on the BellSouth network, both ADSL and dial-up. It came in as an email with an attached virus.

    The email appears in the inbox with the subject line *DETECTED* Online User Violation. The email has an attached zip file. Came in German and English. Anyways, I took care of the customers' issue and informed the customer to report the incident to the Abuse Department for tracking. On a side note, I am surprised how many people got infected with this thing. I asked one customer and he stated "It said it was from Bellsouth so I downloaded it and ran it. Next thing I know my computer is acting really slow and not running right," lol.

  7. #7
    Senior Member
    Join Date
    Dec 2004
    Posts
    3,171
    Hi DjM,

    I'm sure it's not an over-reaction...our government never over-reacts or gets hyped-up over anything.

    Eg

  8. #8
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Originally posted here by Egaladeist
    Hi DjM,

    I'm sure it's not an over-reaction...our government never over-reacts or gets hyped-up over anything.

    Eg
    You have been drinking again, haven't you, Egaladeist?

    Cheers:
    DjM

  9. #9
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    last week after an apparent "brute-force" mailing attack the only account with a common type name, 'fran' for 'franchisse' had a message in its box with an attachment.

    the email was listed as coming from the administrator of my company stating that this person had sent out a mass mailing and her account was suspended until she replied. (although the ip addy was from an LA Calif ISP). last week an employee (VP) in that dept sent a message with a 2Mb pdf attached to 8000 people. it was not unsolicited mail but this big shot still was breaking policy and now has very limited rights

    the attachment was a zip file called important.document.zip and contained a file "important.document.htm <70 spaces> .exe"

    now this sounds a lot like netsky.p but symantec still doesn't see it as a virus.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  10. #10
    Originally posted here by Tedob1
    ...
    the attachment was a zip file called important.document.zip and contained a file "important.document.htm <70 spaces> .exe"

    now this sounds a lot like netsky.p but symantec still doesn't see it as a virus.
    I saw some of those when they first started showing up (file size 57kb). I've been updating daily or twice daily and Symantec sees this as a Mytob-type worm now. Didn't right away, even though it uses the same methods and does the same types of activities in the registry as earlier Mytob worms.
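
The attachment described in posts #9 and #10 hides its real `.exe` extension behind a decoy `.htm` and a long run of spaces, which a mail filter can flag from the archive's member names alone, before any signature exists. The following is an added example, not code from the thread or from any vendor; the extension lists, the five-character padding threshold, and the function names are assumptions made for illustration.

```python
import io
import re
import zipfile

# Extensions Windows runs directly (constructed, non-exhaustive list).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# Whitespace runs this long are treated as padding (assumed threshold).
PAD_RUN = re.compile(r"\s{5,}")
# A decoy document extension before the real one, e.g. ".htm" in "x.htm   .exe".
DECOY_EXT = re.compile(r"\.(htm|html|txt|doc|pdf|jpg|gif)\s*\.", re.IGNORECASE)


def name_findings(name):
    """Return the reasons a member name looks disguised (empty list if none)."""
    findings = []
    base = name.replace("\\", "/").rsplit("/", 1)[-1].rstrip()
    ext = "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext in EXECUTABLE_EXTS:
        findings.append("executable extension " + ext)
        if PAD_RUN.search(base):
            findings.append("whitespace padding before extension")
        if DECOY_EXT.search(base):
            findings.append("decoy document extension")
    return findings


def scan_zip(data):
    """Map each suspicious member name in a zip (given as bytes) to its findings."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            findings = name_findings(info.filename)
            if findings:
                report[info.filename] = findings
    return report


def build_sample():
    """Constructed sample: harmless text bytes stored under the name from the post."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("important.document.htm" + " " * 70 + ".exe", b"not a real program")
        zf.writestr("readme.txt", b"benign")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip(build_sample()).items():
        print(repr(member), "->", "; ".join(why))
```

Because the check reads only the zip directory, it works the same on a variant the antivirus engine does not yet recognise.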
